Karlston Posted June 27, 2019

Iranian state hackers reload their domains, release off-the-shelf RAT malware

As CISA warns of sharp rise in Iran hack attempts on US, researchers see same elsewhere.

[Image caption: Iran's hacking groups are scaling up, hitting Saudi companies and other organizations, according to a Recorded Future report. Getty Images]

A new report from the threat research firm Recorded Future finds that activity from APT33, the Iranian "threat group" previously tied to the Shamoon wiper attack and other Iranian cyber-espionage and destructive malware attacks, has risen dramatically, with the organization creating over 1,200 domains for use in controlling and spreading malware.

The research, conducted by Recorded Future's Insikt Group threat intelligence service, found with some confidence that individuals tied to APT33 (also known as "Elfin") had launched attacks on multiple Saudi companies, including two healthcare organizations, as well as an Indian media company and a "delegation from a diplomatic institution." The majority of these attacks have involved "commodity" malware: well-known remote access tools (RATs).

According to the report:

"APT33, or a closely aligned threat actor, continues to control C2 domains in bulk. Over 1,200 domains have been in use since March 28, 2019, alone. Seven hundred twenty-eight of these were identified communicating with infected hosts. Five hundred seventy-five of the 728 domains were observed communicating with hosts infected by one of 19 mostly publicly available RATs. Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections, a RAT not previously associated with APT33 activity. Other commodity RAT malware families, such as AdwindRAT and RevengeRAT, were also linked to suspected APT33 domain activity."
After Symantec revealed much of the infrastructure used by APT33 in March, the Iranian group parked a majority of its existing domains and registered over 1,200 new ones, with only a few remaining active. In addition to the collection of RATs, about a quarter of the domains are tied to unknown activity, and a half-percent are connected to StoneDrill, the upgraded Shamoon wiper first seen in 2017.

Can't tell the players without a scorecard

The use of publicly available malware is a common part of APT33's operations, as is the operation of massive command-and-control infrastructures. Many of Iran's cyber-operations are apparently contracted out through a hierarchy that is managed by the Nasr Institute, Iran's state organization overseeing computing and networking. The institute acts on behalf of the Iranian government and the Iranian Revolutionary Guard Corps. According to the Insikt Group research, operations are compartmentalized across about 50 different contracted organizations. As a result, there is some overlap between APT33's activities and those of other Iranian state-sponsored threat groups.

These organizations "conducted activities such as vulnerability research, exploit development, reconnaissance, and the conducting of network intrusions or attacks," according to data from an Insikt Group source, and "each of these discrete components, in developing an offensive cyber capability, were purposefully assigned to different contracting groups to protect the integrity of overarching operations," the researchers reported. One of these contractors, the research determined, is the Kavosh Security Center, an information security organization tied to the "MuddyWater" threat group responsible for espionage against a Turkish military supplier.

The use of commodity malware makes many of these operations technically indistinguishable from criminal activity, aside from infrastructure and intent.
Many of the attacks are based on phishing, brute-force attacks such as "credential stuffing," and other common criminal tactics. "Organizations in industries that have been historically targeted by APT33" (such as aviation, military, and energy companies) "should be increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access, specifically from phishing campaigns, webshells, and third-party (vendor and supplier) relationships," the Insikt researchers noted. That statement matches up with the warnings issued recently by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

Source: Iranian state hackers reload their domains, release off-the-shelf RAT malware (Ars Technica)
mkc21 Posted June 27, 2019

How come their hackers are so good? Do they learn from the Chinese?
steven36 Posted June 27, 2019

3 hours ago, mkc21 said:
How come their hackers are so good? Do they learn from the Chinese?

It's fine for CIA-backed groups like Recorded Future to post things about what other countries do to the USA, but all the stuff the USA does, when people speak about it they stay anonymous in fear for their freedom, maybe even their life, and countries can play it off like nothing happened. Countries not from the West are not going to admit to any kind of cyber breach that affected them, and the three-letter agencies are not going to admit it either, so China's, Iran's and Russia's pride helps out Five Eyes to keep what they do a secret. Always in the Western news the USA plays the victim, if you noticed, until whistleblowers rat them out. All sides post propaganda, and the CIA helped get RF started just like they helped Google get started. The group that posted the report are paid contractors for the CIA and NSA. If there was any danger in what Iran was doing to the USA, do you think the NSA and CIA would let a group they have ties with post it? Always the news is very one-sided, but if you ask any well-known researchers about the CIA's or NSA's malware, they refuse to go into detail about it. They only rat out non-Western state hackers; that's the reason they banned Kaspersky, because they exposed Western state hackers as well. Security research in the USA can't be trusted anymore since that happened. It's bull, because if there was any threat, Homeland Security would have the hackers' domains revoked. They're using USA domains (.com, .net, .org) to attack, according to RF, and we all know they revoked domains for way less, so it's a little far-fetched.
See here: CIA-backed Recorded Future gets new $25 million investment https://www.cyberscoop.com/recorded-future-series-e-25-million/ Also, it says here that they're CIA-backed: https://en.wikipedia.org/wiki/Recorded_Future Google used to be paid contractors, but they've been cutting a lot of it out; they're still friends and help each other out. Others replaced them, like Amazon and Microsoft, which are paid government contractors for national security. That's why the government has such an interest in Big Tech: because they give them big contracts, so in a sense the government is their boss. The Trumps love Tim Cook from Apple; they're buddies and they ask him for advice.